Authentication Services

If the user has Diffie-Hellman keys, pam_sm_authenticate() establishes secret keys for the user specified by the PAM_USER (equivalent to running keylogin(1)), using the authentication token found in the PAM_AUTHTOK item. Not being able to establish the secret keys results in an authentication error if the NIS+ repository is used to authenticate the user and the NIS+ table permissions require secure RPC
credentials to access the password field. If pam_sm_setcred() is called with PAM_ESTABLISH_CRED and the user's secure RPC credentials need to be established, these credentials are set. This is equivalent to running keylogin(1).

If the credentials could not be set and PAM_SILENT is not specified, a diagnostic message is displayed. If pam_setcred() is called with PAM_DELETE_CRED, the user's secure RPC credentials are unset. This is equivalent to
running keylogout(1).

PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return PAM_IGNORE.

Authentication Token Management

The pam_sm_chauthtok() implementation checks whether the old login password decrypts the users secret keys. If it doesn't this module prompts the user for an old Secure RPC password and stores it in a pam data item called SUNW_OLDRPCPASS.
This data item can be used by the store module to effectively update the users secret keys.

Errors

The authentication service returns the following error codes:

PAM_SUCCESS

Credentials set successfully.

PAM_IGNORE

Credentials not needed to access the password repository.

PAM_USER_UNKNOWN

PAM_USER is not set, or the user is unknown.

PAM_AUTH_ERR

No secret keys were set. PAM_AUTHTOK is not set, no credentials are present or there is a wrong password.

PAM_BUF_ERR

Module ran out of memory.

PAM_SYSTEM_ERR

The NIS¯+ subsystem failed .

The authentication token management returns the following error codes: